CVE-2024-46993: Electron vulnerable to Heap Buffer Overflow in NativeImage

June 30, 2025 (updated July 1, 2025)

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image’s height, width, and contents.

References

github.com/advisories/GHSA-6r2x-8pq8-9489
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489
nvd.nist.gov/vuln/detail/CVE-2024-46993

Code Behaviors & Features

Detect and mitigate CVE-2024-46993 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →